<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/fs, branch v3.2.36</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/fs?h=v3.2.36</id>
<link rel='self' href='https://git.amat.us/linux/atom/fs?h=v3.2.36'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2013-01-03T03:33:56Z</updated>
<entry>
<title>udf: fix memory leak while allocating blocks during write</title>
<updated>2013-01-03T03:33:56Z</updated>
<author>
<name>Namjae Jeon</name>
<email>namjae.jeon@samsung.com</email>
</author>
<published>2012-10-09T15:08:56Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=926304cc14587e7823af6bb910fbecbda5927325'/>
<id>urn:sha1:926304cc14587e7823af6bb910fbecbda5927325</id>
<content type='text'>
commit 2fb7d99d0de3fd8ae869f35ab682581d8455887a upstream.

Need to brelse the buffer_head stored in cur_epos and next_epos.

Signed-off-by: Namjae Jeon &lt;namjae.jeon@samsung.com&gt;
Signed-off-by: Ashish Sangwan &lt;a.sangwan@samsung.com&gt;
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>exec: do not leave bprm-&gt;interp on stack</title>
<updated>2013-01-03T03:33:45Z</updated>
<author>
<name>Kees Cook</name>
<email>keescook@chromium.org</email>
</author>
<published>2012-12-20T23:05:16Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=5f124a5db0b3f59232e24586ee75928793c87efb'/>
<id>urn:sha1:5f124a5db0b3f59232e24586ee75928793c87efb</id>
<content type='text'>
commit b66c5984017533316fd1951770302649baf1aa33 upstream.

If a series of scripts are executed, each triggering module loading via
unprintable bytes in the script header, kernel stack contents can leak
into the command line.

Normally execution of binfmt_script and binfmt_misc happens recursively.
However, when modules are enabled, and unprintable bytes exist in the
bprm-&gt;buf, execution will restart after attempting to load matching
binfmt modules.  Unfortunately, the logic in binfmt_script and
binfmt_misc does not expect to get restarted.  They leave bprm-&gt;interp
pointing to their local stack.  This means on restart bprm-&gt;interp is
left pointing into unused stack memory which can then be copied into the
userspace argv areas.

After additional study, it seems that both recursion and restart remains
the desirable way to handle exec with scripts, misc, and modules.  As
such, we need to protect the changes to interp.

This changes the logic to require allocation for any changes to the
bprm-&gt;interp.  To avoid adding a new kmalloc to every exec, the default
value is left as-is.  Only when passing through binfmt_script or
binfmt_misc does an allocation take place.

For a proof of concept, see DoTest.sh from:

   http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/

Signed-off-by: Kees Cook &lt;keescook@chromium.org&gt;
Cc: halfdog &lt;me@halfdog.net&gt;
Cc: P J P &lt;ppandit@redhat.com&gt;
Cc: Alexander Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>vfs: d_obtain_alias() needs to use "/" as default name.</title>
<updated>2013-01-03T03:33:45Z</updated>
<author>
<name>NeilBrown</name>
<email>neilb@suse.de</email>
</author>
<published>2012-11-09T00:09:37Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=150086ca6bd7493e7753f923a3f55e73701253b3'/>
<id>urn:sha1:150086ca6bd7493e7753f923a3f55e73701253b3</id>
<content type='text'>
commit b911a6bdeef5848c468597d040e3407e0aee04ce upstream.

NFS appears to use d_obtain_alias() to create the root dentry rather than
d_make_root.  This can cause 'prepend_path()' to complain that the root
has a weird name if an NFS filesystem is lazily unmounted.  e.g.  if
"/mnt" is an NFS mount then

 { cd /mnt; umount -l /mnt ; ls -l /proc/self/cwd; }

will cause a WARN message like
   WARNING: at /home/git/linux/fs/dcache.c:2624 prepend_path+0x1d7/0x1e0()
   ...
   Root dentry has weird name &lt;&gt;

to appear in kernel logs.

So change d_obtain_alias() to use "/" rather than "" as the anonymous
name.

Signed-off-by: NeilBrown &lt;neilb@suse.de&gt;
Cc: Trond Myklebust &lt;Trond.Myklebust@netapp.com&gt;
Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
[bwh: Backported to 3.2: use named initialisers instead of QSTR_INIT()]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>nfsd4: fix oops on unusual readlike compound</title>
<updated>2013-01-03T03:33:43Z</updated>
<author>
<name>J. Bruce Fields</name>
<email>bfields@redhat.com</email>
</author>
<published>2012-12-04T23:25:10Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=abae184041188034d52afe07103bc0ab6662ece0'/>
<id>urn:sha1:abae184041188034d52afe07103bc0ab6662ece0</id>
<content type='text'>
commit d5f50b0c290431c65377c4afa1c764e2c3fe5305 upstream.

If the argument and reply together exceed the maximum payload size, then
a reply with a read-like operation can overlow the rq_pages array.

Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>proc: pid/status: show all supplementary groups</title>
<updated>2013-01-03T03:33:43Z</updated>
<author>
<name>Artem Bityutskiy</name>
<email>artem.bityutskiy@linux.intel.com</email>
</author>
<published>2012-12-18T00:03:17Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=4efbbb6ce0d1d46e57be495e791c109277f07a14'/>
<id>urn:sha1:4efbbb6ce0d1d46e57be495e791c109277f07a14</id>
<content type='text'>
commit 8d238027b87e654be552eabdf492042a34c5c300 upstream.

We display a list of supplementary group for each process in
/proc/&lt;pid&gt;/status.  However, we show only the first 32 groups, not all of
them.

Although this is rare, but sometimes processes do have more than 32
supplementary groups, and this kernel limitation breaks user-space apps
that rely on the group list in /proc/&lt;pid&gt;/status.

Number 32 comes from the internal NGROUPS_SMALL macro which defines the
length for the internal kernel "small" groups buffer.  There is no
apparent reason to limit to this value.

This patch removes the 32 groups printing limit.

The Linux kernel limits the amount of supplementary groups by NGROUPS_MAX,
which is currently set to 65536.  And this is the maximum count of groups
we may possibly print.

Signed-off-by: Artem Bityutskiy &lt;artem.bityutskiy@linux.intel.com&gt;
Acked-by: Serge E. Hallyn &lt;serge.hallyn@ubuntu.com&gt;
Acked-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>NFS: avoid NULL dereference in nfs_destroy_server</title>
<updated>2013-01-03T03:33:38Z</updated>
<author>
<name>NeilBrown</name>
<email>neilb@suse.de</email>
</author>
<published>2012-12-13T04:14:36Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=6f744386e26b664c948361d1ee539f258e4c2f8b'/>
<id>urn:sha1:6f744386e26b664c948361d1ee539f258e4c2f8b</id>
<content type='text'>
commit f259613a1e4b44a0cf85a5dafd931be96ee7c9e5 upstream.

In rare circumstances, nfs_clone_server() of a v2 or v3 server can get
an error between setting server-&gt;destory (to nfs_destroy_server), and
calling nfs_start_lockd (which will set server-&gt;nlm_host).

If this happens, nfs_clone_server will call nfs_free_server which
will call nfs_destroy_server and thence nlmclnt_done(NULL).  This
causes the NULL to be dereferenced.

So add a guard to only call nlmclnt_done() if -&gt;nlm_host is not NULL.

The other guards there are irrelevant as nlm_host can only be non-NULL
if one of these flags are set - so remove those tests.  (Thanks to Trond
for this suggestion).

This is suitable for any stable kernel since 2.6.25.

Signed-off-by: NeilBrown &lt;neilb@suse.de&gt;
Signed-off-by: Trond Myklebust &lt;Trond.Myklebust@netapp.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>nfsd: avoid permission checks on EXCLUSIVE_CREATE replay</title>
<updated>2013-01-03T03:33:35Z</updated>
<author>
<name>Neil Brown</name>
<email>neilb@suse.de</email>
</author>
<published>2012-12-07T20:40:55Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=65ad4f419b64f0f7768cb564fee61667737c6b5c'/>
<id>urn:sha1:65ad4f419b64f0f7768cb564fee61667737c6b5c</id>
<content type='text'>
commit 7007c90fb9fef593b4aeaeee57e6a6754276c97c upstream.

With NFSv4, if we create a file then open it we explicit avoid checking
the permissions on the file during the open because the fact that we
created it ensures we should be allow to open it (the create and the
open should appear to be a single operation).

However if the reply to an EXCLUSIVE create gets lots and the client
resends the create, the current code will perform the permission check -
because it doesn't realise that it did the open already..

This patch should fix this.

Note that I haven't actually seen this cause a problem.  I was just
looking at the code trying to figure out a different EXCLUSIVE open
related issue, and this looked wrong.

(Fix confirmed with pynfs 4.0 test OPEN4--bfields)

Signed-off-by: NeilBrown &lt;neilb@suse.de&gt;
[bfields: use OWNER_OVERRIDE and update for 4.1]
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
[bwh: Backported to 3.2:
 - Adjust context
 - Use current_fh as file handle in do_open_lookup()]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>nfsd: fix v4 reply caching</title>
<updated>2013-01-03T03:33:16Z</updated>
<author>
<name>J. Bruce Fields</name>
<email>bfields@redhat.com</email>
</author>
<published>2012-11-16T20:22:43Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=e88b9090be26e674bda11fbad6dd7056065c1196'/>
<id>urn:sha1:e88b9090be26e674bda11fbad6dd7056065c1196</id>
<content type='text'>
commit 57d276d71aef7d8305ff002a070cb98deb2edced upstream.

Very embarassing: 1091006c5eb15cba56785bd5b498a8d0b9546903 "nfsd: turn
on reply cache for NFSv4" missed a line, effectively leaving the reply
cache off in the v4 case.  I thought I'd tested that, but I guess not.

This time, wrote a pynfs test to confirm it works.

Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>NFS: Add sequence_priviliged_ops for nfs4_proc_sequence()</title>
<updated>2013-01-03T03:33:14Z</updated>
<author>
<name>Bryan Schumaker</name>
<email>bjschuma@netapp.com</email>
</author>
<published>2012-11-12T21:55:38Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=ddca0d4a9d185520a9a6eb551a34ff0c6d70418c'/>
<id>urn:sha1:ddca0d4a9d185520a9a6eb551a34ff0c6d70418c</id>
<content type='text'>
commit 6bdb5f213c4344324f600dde885f25768fbd14db upstream.

If I mount an NFS v4.1 server to a single client multiple times and then
run xfstests over each mountpoint I usually get the client into a state
where recovery deadlocks.  The server informs the client of a
cb_path_down sequence error, the client then does a
bind_connection_to_session and checks the status of the lease.

I found that bind_connection_to_session sets the NFS4_SESSION_DRAINING
flag on the client, but this flag is never unset before
nfs4_check_lease() reaches nfs4_proc_sequence().  This causes the client
to deadlock, halting all NFS activity to the server.  nfs4_proc_sequence()
is only called by the state manager, so I can change it to run in privileged
mode to bypass the NFS4_SESSION_DRAINING check and avoid the deadlock.

Signed-off-by: Bryan Schumaker &lt;bjschuma@netapp.com&gt;
Signed-off-by: Trond Myklebust &lt;Trond.Myklebust@netapp.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>ext4: init pagevec in ext4_da_block_invalidatepages</title>
<updated>2013-01-03T03:33:09Z</updated>
<author>
<name>Eric Sandeen</name>
<email>sandeen@redhat.com</email>
</author>
<published>2012-11-15T03:22:05Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=e14b82308631247bad28ba23db69468265d4e583'/>
<id>urn:sha1:e14b82308631247bad28ba23db69468265d4e583</id>
<content type='text'>
commit 66bea92c69477a75a5d37b9bfed5773c92a3c4b4 upstream.

ext4_da_block_invalidatepages is missing a pagevec_init(),
which means that pvec-&gt;cold contains random garbage.

This affects whether the page goes to the front or
back of the LRU when -&gt;cold makes it to
free_hot_cold_page()

Reviewed-by: Lukas Czerner &lt;lczerner@redhat.com&gt;
Reviewed-by: Carlos Maiolino &lt;cmaiolino@redhat.com&gt;
Signed-off-by: Eric Sandeen &lt;sandeen@redhat.com&gt;
Signed-off-by: "Theodore Ts'o" &lt;tytso@mit.edu&gt;
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
</feed>
